Tick

APT Group; Information theft and espionage; 37 zero-day CVEs; ETDA ✓

Also Known As 8 names

BRONZE BUTLER
G0060
Nian
PLA Unit 61419
REDBALDKNIGHT
STALKER PANDA
Stalker Taurus
Swirl Typhoon

Target Countries 26

Albania
Australia
Belgium
Brazil
Canada
Chile
China
Germany
France
United Kingdom
Hong Kong
Ireland
Israel
India
Islamic Republic of Iran
Italy
Jordan
Japan
Republic of Korea
Nigeria
Singapore
Taiwan, Province of China
Ukraine
United States
Bolivarian Republic of Venezuela
Vietnam

Sectors Targeted

Critical infrastructure
Religious Organizations (8131)
Commercial Banking (52211)
Engineering
Management, Scientific, and Technical Consulting Services (5416)
Periodical Publishers (51112)
Grantmaking and Giving Services (8132)
Civic and Social Organizations (8134)
Computer Systems Design and Related Services (54151)
Freight Transportation Arrangement (48851)
Industrial
Oil and Gas Extraction (211)
Water Transportation (483)
Libraries and Archives (51912)
Real Estate (531)
Justice, Public Order, and Safety Activities (9221)
Government
Computer Systems Design Services (541512)
National Security and International Affairs (928110)
Human Resources Consulting Services (541612)
Offices of Lawyers (541110)
Air Transportation (481)
Promoters of Performing Arts, Sports, and Similar Events (7113)
Technology
Educational Support Services (6117)
Personal Care Services (8121)
Investigation, Guard, and Armored Car Services (56161)
Hospitals (622)
Truck Transportation (484)
Internet Publishing and Broadcasting and Web Search Portals (51913)
High-Tech
Data Processing, Hosting, and Related Services (51821)
National Security and International Affairs (9281)
Defense
Convention and Trade Show Organizers (56192)
Spectator Sports (7112)
Manufacturing
Media
Construction (23)
Employment Placement Agencies and Executive Search Services (56131)
Motion Picture and Video Production (51211)
International relations
Business Schools and Computer and Management Training (6114)
Finance and Insurance (52)
Accommodation (721)
Telecommunications (517)
Motion Picture and Video Industries (5121)
Performing Arts Companies (7111)
Research and Development in the Social Sciences and Humanities (54172)

Details

Origin 🇨🇳 CN
Last Updated 01 Jun 2022

Malware Families 9

ccleaner_backdoor
broler
8t_dropper
zhmimikatz
win.shadow_rat
datper
node_rat
rarstar
xxmm

MITRE ATT&CK 117

T1003 - OS Credential Dumping
T1003.001
T1005
T1007
T1008
T1011
T1012
T1016 - System Network Configuration Discovery
T1018
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1027 - Obfuscated Files or Information
T1027.001
T1027.003
T1033
T1036 - Masquerading
T1036.002
T1036.005
T1039
T1041 - Exfiltration Over C2 Channel
T1047
T1048
T1053
T1053.002
T1053.005
T1055 - Process Injection
T1056 - Input Capture
T1057
T1059 - Command and Scripting Interpreter
T1059.001
T1059.003
T1059.005
T1059.006
T1060
T1068 - Exploitation for Privilege Escalation
T1070
T1070.004
T1071 - Application Layer Protocol
T1071.001
T1080
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1086
T1087
T1087.002
T1095
T1102 - Web Service
T1102.001
T1105 - Ingress Tool Transfer
T1106
T1112
T1113
T1114.001
T1115 - Clipboard Data
T1119
T1120
T1124
T1130
T1132 - Data Encoding
T1132.001
T1133 - External Remote Services
T1135
T1137
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176 - Browser Extensions
T1189
T1190 - Exploit Public-Facing Application
T1195
T1199
T1203
T1204
T1204.002
T1210 - Exploitation of Remote Services
T1217
T1218
T1489
T1496 - Resource Hijacking
T1497
T1497.003
T1503
T1505
T1518
T1530
T1531 - Account Access Removal
T1539
T1543
T1547
T1547.001
T1548
T1548.002
T1550
T1550.003
T1552
T1553
T1555
T1560 - Archive Collected Data
T1560.001
T1562 - Impair Defenses
T1562.001
T1566 - Phishing
T1566.001
T1567 - Exfiltration Over Web Service
T1569
T1570 - Lateral Tool Transfer
T1571
T1572 - Protocol Tunneling
T1573
T1573.001
T1574 - Hijack Execution Flow
T1574.001
T1574.002
T1588
T1588.002
T1685